
How to remove XXWWW.DLL [RESOLVED]


This topic is locked.

#1 pedroparra (Member, 15 posts)
Hi all,

I am having some issues with my computer. After installing SP2 and updates and cleaning with Spybot in safe mode, I have the following HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:35, on 09/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Temp\delete paytime\HijackThis.exe
C:\WINDOWS\SYSTEM32\rundll32.exe

O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\SYSTEM32\xxwww.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 9 run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 5\PcSync2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144446099482
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144446257940
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8400ihme84a0.dll
O20 - Winlogon Notify: xxwww - C:\WINDOWS\SYSTEM32\xxwww.dll
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


All the xxwww.dll entries are very suspicious, and if I fix them, they appear again.

The file xxwww.dll is located in \windows\system32 but is impossible to delete, because I always get the message "Impossible to delete because it is used by another process". I have tried many ways to delete it, but it is impossible.

Can any great guy help this poor and suffering Spaniard?

Thanks a lot!
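The log above shows the same DLL at two load points: an O2 Browser Helper Object (loaded into Internet Explorer and, on XP, into Explorer) and an O20 Winlogon Notify package (loaded into winlogon.exe at logon). That is why the file is always "used by another process" and why fixing one entry does not stick. The following Python script is an added example, not part of the original thread and not HijackThis's own logic: it parses HijackThis-style lines and scores them with heuristics chosen for this illustration. The Winlogon Notify allow-list is an assumption (a partial list of stock XP subkeys) and the sample lines are taken from the logs on this page.

```python
"""Added example: triage a HijackThis log for the load points this thread is about
(O2 BHOs, O20 Winlogon Notify packages, O23 services). Heuristics are illustrative."""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\SYSTEM32\xxwww.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8400ihme84a0.dll
O20 - Winlogon Notify: xxwww - C:\WINDOWS\SYSTEM32\xxwww.dll
O23 - Service: NTSec(ntsec) (NTSec) - Unknown owner - C:\WINDOWS\system32\ntsec.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption: Winlogon Notify subkeys present on a stock Windows XP install. This list is
# partial; build the real one from a known-clean reference machine before relying on it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))\b", re.IGNORECASE)
RUN_RE = re.compile(r"[a-z]+|[0-9]+", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    path: str
    severity: int                      # 3 = high, 2 = medium, 0 = nothing to report
    reasons: list = field(default_factory=list)


def looks_random(stem):
    """Heuristic: a long stem that alternates letter and digit runs several times
    (g8400ihme84a0, n6l8lg3u16) is typical of Look2Me/Vundo-style file names."""
    runs = RUN_RE.findall(stem)
    return len(stem) >= 8 and len(runs) >= 3 and any(r.isdigit() for r in runs)


def triage(log_text):
    """Score each HijackThis line that names a file on disk and correlate by path."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PATH_RE.search(line)
        if not m:
            continue                   # bare names such as SOUNDMAN.EXE are not scored here
        path = m.group(1)
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        f = Finding(line, path, 0)
        if line.startswith("O20 - Winlogon Notify:"):
            subkey = line.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if subkey not in KNOWN_NOTIFY:
                f.severity = 3
                f.reasons.append("Winlogon Notify package outside the known set; loads into winlogon.exe")
        elif line.startswith("O2 - BHO:") and "(no name)" in line:
            f.severity = 2
            f.reasons.append("BHO with no name")
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            f.severity = 2
            f.reasons.append("service with no publisher")
        if looks_random(stem):
            f.severity = max(f.severity, 2)
            f.reasons.append("random-looking file name")
        if f.severity:
            findings.append(f)
    # One file registered at two load points (BHO + Winlogon Notify) is held open by
    # both Explorer/IE and winlogon.exe: the file is always in use and removing a single
    # entry does not stick. Escalate every finding that shares a path.
    by_path = {}
    for f in findings:
        by_path.setdefault(f.path.lower(), []).append(f)
    for group in by_path.values():
        if len(group) > 1:
            for f in group:
                f.severity = 3
                f.reasons.append(f"same file at {len(group)} load points")
    return sorted(findings, key=lambda f: -f.severity)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity, f.path, "|", "; ".join(f.reasons))
```

Run it as a script to print the scored entries; the two xxwww.dll lines come out at the top together with the unknown "policies" Notify package, and ntsec.exe follows as a nameless service, which matches what the helper asks about in post #4.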

#2 Armodeluxe (Retired Staff, 2,744 posts)
Hi pedroparra,

When you post your next log, please post it from normal mode, not safe mode.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

#3 pedroparra (Topic Starter, Member, 15 posts)
I executed Look2Me-Destroyer and it found some stuff, but xxwww.dll is still there and impossible to delete:


Here is the Look2Me-Destroyer.txt:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 09/04/2006 10:08:05

Infected! C:\WINDOWS\system32\n6l8lg3u16.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107693.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107726.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107817.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107847.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107850.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107858.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107874.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108100.dll
Infected! C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108114.dll
Infected! C:\WINDOWS\system32\acsnt.dll
Infected! C:\WINDOWS\system32\agicap32.dll
Infected! C:\WINDOWS\system32\ari2dvaa.dll
Infected! C:\WINDOWS\system32\dgskadp.dll
Infected! C:\WINDOWS\system32\dHdim700.dll
Infected! C:\WINDOWS\system32\dnpo0173e.dll
Infected! C:\WINDOWS\system32\dnro0193e.dll
Infected! C:\WINDOWS\system32\DT240.dll
Infected! C:\WINDOWS\system32\fp6403jqe.dll
Infected! C:\WINDOWS\system32\irpol5731.dll
Infected! C:\WINDOWS\system32\ktdcz1.dll
Infected! C:\WINDOWS\system32\li_encrypt.dll
Infected! C:\WINDOWS\system32\meperf.dll
Infected! C:\WINDOWS\system32\mjxclu.dll
Infected! C:\WINDOWS\system32\mpcertui.dll
Infected! C:\WINDOWS\system32\mzdscli.dll
Infected! C:\WINDOWS\system32\n4r20e9oeh.dll
Infected! C:\WINDOWS\system32\n6l8lg3u16.dll
Infected! C:\WINDOWS\system32\ntth.dll
Infected! C:\WINDOWS\system32\rXsctrs.dll
Infected! C:\WINDOWS\system32\tcddd.dll
Infected! C:\WINDOWS\system32\wtnhttp.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\n6l8lg3u16.dll
C:\WINDOWS\system32\n6l8lg3u16.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107693.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107693.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107726.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107726.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107817.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107817.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107847.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107847.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107850.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107850.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107858.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107858.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107874.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107874.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108100.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108100.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108114.dll
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108114.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\acsnt.dll
C:\WINDOWS\system32\acsnt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\agicap32.dll
C:\WINDOWS\system32\agicap32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ari2dvaa.dll
C:\WINDOWS\system32\ari2dvaa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dgskadp.dll
C:\WINDOWS\system32\dgskadp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dHdim700.dll
C:\WINDOWS\system32\dHdim700.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnpo0173e.dll
C:\WINDOWS\system32\dnpo0173e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnro0193e.dll
C:\WINDOWS\system32\dnro0193e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\DT240.dll
C:\WINDOWS\system32\DT240.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp6403jqe.dll
C:\WINDOWS\system32\fp6403jqe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irpol5731.dll
C:\WINDOWS\system32\irpol5731.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktdcz1.dll
C:\WINDOWS\system32\ktdcz1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\li_encrypt.dll
C:\WINDOWS\system32\li_encrypt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\meperf.dll
C:\WINDOWS\system32\meperf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mjxclu.dll
C:\WINDOWS\system32\mjxclu.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mpcertui.dll
C:\WINDOWS\system32\mpcertui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mzdscli.dll
C:\WINDOWS\system32\mzdscli.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n4r20e9oeh.dll
C:\WINDOWS\system32\n4r20e9oeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n6l8lg3u16.dll
C:\WINDOWS\system32\n6l8lg3u16.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ntth.dll
C:\WINDOWS\system32\ntth.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rXsctrs.dll
C:\WINDOWS\system32\rXsctrs.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tcddd.dll
C:\WINDOWS\system32\tcddd.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wtnhttp.dll
C:\WINDOWS\system32\wtnhttp.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7734A382-6D46-4053-B446-37A66B94B2C0}"
HKCR\Clsid\{7734A382-6D46-4053-B446-37A66B94B2C0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EB5CF0F4-2357-40DE-9460-465C4C53A7EF}"
HKCR\Clsid\{EB5CF0F4-2357-40DE-9460-465C4C53A7EF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1C9FD646-C814-474E-8F15-7EF3C728CE51}"
HKCR\Clsid\{1C9FD646-C814-474E-8F15-7EF3C728CE51}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administradores - Succeeded


And here is the next HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:20, on 09/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ntsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\Temp\delete paytime\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\SYSTEM32\xxwww.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 9 run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 5\PcSync2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144446099482
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144446257940
O20 - Winlogon Notify: xxwww - C:\WINDOWS\SYSTEM32\xxwww.dll
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NTSec(ntsec) (NTSec) - Unknown owner - C:\WINDOWS\system32\ntsec.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks a lot for your help!!
Pedro

#4 Armodeluxe (Retired Staff, 2,744 posts)
Everything in order :whistling: VundoFix will take care of that.

1) Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\ntsec.exe
  • Click on the submit button
  • Please post the results in your next reply.
2) Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.


#5 pedroparra (Topic Starter, Member, 15 posts)
I couldn't run the Jotti's malware scan because I always got a "server busy" message.

Anyway, I ran VundoFix and it also deleted some stuff.

After running VundoFix and rebooting, I could delete xxwww.dll at last!

The VundoFix log is:


VundoFix V4.2.57

Checking Java version...

Sun Java not detected
Scan started at 17:37:04 09/04/2006

Listing files found while scanning....

C:\WINDOWS\system32\iifdb.dll
C:\WINDOWS\system32\bdfii.ini

Attempting to delete C:\WINDOWS\system32\iifdb.dll
C:\WINDOWS\system32\iifdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bdfii.ini
C:\WINDOWS\system32\bdfii.ini Has been deleted!

Performing Repairs to the registry.
Done!


And my HijackThis log is now:

Logfile of HijackThis v1.99.1
Scan saved at 17:57:52, on 09/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ntsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Temp\delete paytime\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 9 run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 5\PcSync2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144446099482
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144446257940
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


It seems a lot cleaner.

Am I still in danger?

Thanks a lot.

Pedro
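Pedro could only delete xxwww.dll after the reboot that VundoFix forced, once no process had the DLL loaded any more. The general mechanism for removing a file that a logon-time process holds open is to schedule the deletion for the next boot with MoveFileExW and the MOVEFILE_DELAY_UNTIL_REBOOT flag: Windows records the request as string pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Session Manager carries it out at boot before winlogon.exe or any BHO host is running. The Python below is an added example, not code from this thread and not how VundoFix or Look2Me-Destroyer are implemented (that is not claimed here). It encodes and decodes that registry value so the scheduled operations can be audited during incident response, and wraps the kernel32 call, which only works on Windows with administrator rights. Paths in the sample are the ones from the logs above.

```python
"""Added example: schedule deletion of a DLL that stays locked because winlogon.exe
(Winlogon Notify) or Explorer/IE (BHO) has it loaded, and audit what is scheduled.
Illustrative code, not taken from the thread's tools."""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"


def nt_path(win_path):
    """MoveFileEx records paths in object-manager form, e.g. \\??\\C:\\WINDOWS\\..."""
    return "\\??\\" + win_path


def pending_entries(operations):
    """Build the REG_MULTI_SZ entry list for (source, target) operations.
    A delete is the source followed by an empty string; a rename carries the target
    (Windows prefixes the target with '!' when it may overwrite an existing file)."""
    entries = []
    for src, dst in operations:
        entries.append(nt_path(src))
        entries.append(nt_path(dst) if dst else "")
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ: every string UTF-16-LE and NUL-terminated, then one extra NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz; keeps the empty strings that mark deletions.
    Splitting on NUL yields the entries plus two trailing empties from the terminators."""
    return blob.decode("utf-16-le").split("\x00")[:-2]


def audit_pending_ops(blob):
    """Return scheduled operations as (source, target) pairs; '' target means delete.
    Worth checking in incident response: malware can use the same key to swap system
    files at boot, so an unexpected pair here is itself a finding."""
    entries = decode_multi_sz(blob)
    return [(entries[i], entries[i + 1]) for i in range(0, len(entries) - 1, 2)]


def schedule_delete(path):
    """Ask Windows to delete `path` at the next boot (administrator rights required).
    The Notify/BHO registry entries must be removed as well, or the DLL is re-registered."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT) is only available on Windows")
    k32 = ctypes.windll.kernel32
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint]
    k32.MoveFileExW.restype = ctypes.c_int
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


if __name__ == "__main__":
    # Constructed sample: the two locked DLLs from the first HijackThis log in this thread.
    ops = [(r"C:\WINDOWS\system32\xxwww.dll", ""),
           (r"C:\WINDOWS\system32\g8400ihme84a0.dll", "")]
    blob = encode_multi_sz(pending_entries(ops))
    print("Value that would appear under", PENDING_KEY)
    for src, dst in audit_pending_ops(blob):
        print(" ", src, "-> delete" if dst == "" else "-> " + dst)
```

On a live Windows machine, read the value with winreg and pass the raw bytes to audit_pending_ops to see what is queued for the next boot; an entry you did not schedule deserves the same attention as an unknown Winlogon Notify package.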

#6 pedroparra (Topic Starter, Member, 15 posts)
Later I could run the Jotti scan.

Here are the results, and it seems that the file is infected. Oops!


Jotti's malware scan:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Program.Ardamax
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus not-a-virus:Monitor.Win32.Ardamax.k
NOD32 X
Norman Virus Control X
UNA X
VirusBuster X
VBA32 Trojan-Dropper.VB.22


Thanks!!!

#7 Armodeluxe (Retired Staff, 2,744 posts)
That file belongs to a keylogger. Did you or anyone else using the computer install Ardamax Keylogger?

If you don't know how it's on your computer we will remove it, but let's run an online scan and see if there are any other files we have to deal with.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Also let me know about the keylogger and if you are having any more problems.

#8 pedroparra (Topic Starter, Member, 15 posts)
Hi,

Here you have the Kaspersky report and it seems that my computer is really infected!

About the keylogger: I never installed one, and it should be removed immediately.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 09, 2006 11:19:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 9/04/2006
Kaspersky Anti-Virus database records: 187108
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66952
Number of viruses found: 20
Number of infected objects: 108
Number of suspicious objects: 0
Duration of the scan process: 02:35:55

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00015.dll Infected: Trojan-PSW.Win32.Sinowal.h skipped
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00016.dll Infected: Trojan-PSW.Win32.Sinowal.h skipped
C:\cuarentena\svchost.exe.Vir Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\cuarentena\svchost.exe.Vir.0 Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\cuarentena\svchost.exe.Vir.1 Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\cuarentena\svchost.exe.Vir.2 Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\cuarentena\svchost.exe.Vir.3 Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\cuarentena\svchost.exe.Vir.4 Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\cuarentena\wumd.exe.Vir Infected: Backdoor.Win32.SdBot.anx skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\qpjvq[1].txt Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\rpxsdpoa[1].txt Infected: Trojan-Downloader.Win32.Agent.aef skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\zqlxfrp[1].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\z[1].jpg/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\z[1].jpg/stream/data0002 Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\z[1].jpg/stream Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\z[1].jpg NSIS: infected - 3 skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[1].exe/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[1].exe/stream Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[2].exe/stream/data0001 Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[2].exe/stream Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[2].exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lgkqadw[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lgkqadw[2].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\qtonlgf[1].txt Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\qtonlgf[2].txt Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\W1YV016Z\bweql[1].txt Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\W1YV016Z\bweql[2].txt Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\W1YV016Z\fdygedc[1].txt Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\fdygedc[1].txt Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\fdygedc[2].txt Infected: Trojan-PSW.Win32.Sinowal.h skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\pxfvqsr[1].txt Infected: Trojan.Win32.StartPage.adi skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\qpjvq[1].txt Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\zqlxfrp[1].htm Infected: Trojan.Win32.Harnig.k skipped
C:\Documents and Settings\Pedro Rodriguez\Configuración local\Archivos temporales de Internet\Content.IE5\97NF5LCE\drsmartload45a[1].exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\Documents and Settings\Pedro Rodriguez\cz32.exe/data.rar/rm32.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Documents and Settings\Pedro Rodriguez\cz32.exe/data.rar/dr32.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\Documents and Settings\Pedro Rodriguez\cz32.exe/data.rar Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\Documents and Settings\Pedro Rodriguez\cz32.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\Pedro Rodriguez\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2a371830.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Pedro Rodriguez\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2a371830.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107723.exe/data.rar/rm32.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107723.exe/data.rar/dr32.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107723.exe/data.rar Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107723.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107724.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP360\A0107725.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107845.exe/data.rar/rm32.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107845.exe/data.rar/dr32.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107845.exe/data.rar Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107845.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP361\A0107846.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108110.exe Infected: Trojan-Downloader.Win32.VB.aad skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108116.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108117.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108118.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108119.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108120.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108121.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108122.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108123.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108124.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108125.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108126.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108127.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108128.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108129.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108130.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108131.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108132.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108133.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108134.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108135.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP362\A0108187.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP363\A0108271.dll Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP363\A0108272.dll Infected: Trojan-PSW.Win32.Sinowal.d skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP363\A0108362.exe Infected: Trojan-PSW.Win32.Sinowal.h skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP363\A0108367.exe Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP363\A0108369.exe Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\System Volume Information\_restore{6851C1F0-AC29-468A-BD4F-23A48FEB3BAC}\RP363\A0108386.exe Infected: Trojan-Downloader.Win32.VB.aad skipped
C:\Temp\delete paytime\backups\backup-20060408-140116-633.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060408-140835-780.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060408-151312-487.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060408-151622-640.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060408-151738-457.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060408-162630-833.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060408-174041-326.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060409-012423-567.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\Temp\delete paytime\backups\backup-20060409-101755-780.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\keyboard9.exe Infected: Trojan-Downloader.Win32.VB.aaf skipped
C:\WINDOWS\newname9.exe Infected: Trojan-Downloader.Win32.VB.aaf skipped
C:\WINDOWS\OEM.exe Infected: Trojan-PSW.Win32.Agent.fv skipped
C:\WINDOWS\OEM.exe.bak Infected: Trojan-PSW.Win32.Agent.fv skipped
C:\WINDOWS\system32\cbaxu.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\dr32.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\WINDOWS\system32\efcax.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\geecb.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\kernels8.exe Infected: Packed.Win32.PePatch.z skipped
C:\WINDOWS\system32\ljjkh.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\pmkif.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\rm32.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\svch82.dll Infected: Trojan-Downloader.Win32.Small.cqf skipped
C:\WINDOWS\system32\vtsqn.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\system32\vxd32.dll Infected: Backdoor.Win32.Agent.vc skipped
C:\WINDOWS\system32\win_f.exe Infected: Trojan-Downloader.Win32.Agent.aef skipped
C:\WINDOWS\system32\wvwuu.dll Infected: Trojan-Downloader.Win32.ConHook.y skipped
C:\WINDOWS\Temp\1.exe Infected: Trojan-Downloader.Win32.Agent.aic skipped
C:\WINDOWS\Temp\adv.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped

Scan process completed.

Thanks a lot!!!
  • 0

#9
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Please download the Killbox.
Unzip it to the desktop.

1) Please run Killbox.

2) Select "Delete on Reboot". Click on "All Files".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00015.dll
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00016.dll
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\qpjvq[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\rpxsdpoa[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\zqlxfrp[1].htm
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\8PYBGDMZ\z[1].jpg
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[1].exe
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lewl[2].exe
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lgkqadw[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\lgkqadw[2].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\qtonlgf[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\OX6ROT6J\qtonlgf[2].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\W1YV016Z\bweql[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\W1YV016Z\bweql[2].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\W1YV016Z\fdygedc[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\fdygedc[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\fdygedc[2].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\pxfvqsr[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\qpjvq[1].txt
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\WDQZ05YF\zqlxfrp[1].htm
C:\Documents and Settings\Pedro Rodriguez\Configuración local\Archivos temporales de Internet\Content.IE5\97NF5LCE\drsmartload45a[1].exe
C:\Documents and Settings\Pedro Rodriguez\cz32.exe
C:\Documents and Settings\Pedro Rodriguez\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2a371830.zip
C:\WINDOWS\keyboard9.exe
C:\WINDOWS\newname9.exe
C:\WINDOWS\OEM.exe
C:\WINDOWS\OEM.exe.bak
C:\WINDOWS\system32\cbaxu.dll
C:\WINDOWS\system32\dr32.exe
C:\WINDOWS\system32\efcax.dll
C:\WINDOWS\system32\geecb.dll
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\ljjkh.dll
C:\WINDOWS\system32\pmkif.dll
C:\WINDOWS\system32\rm32.dll
C:\WINDOWS\system32\svch82.dll
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\vxd32.dll
C:\WINDOWS\system32\win_f.exe
C:\WINDOWS\system32\wvwuu.dll
C:\WINDOWS\Temp\1.exe
C:\WINDOWS\Temp\adv.exe
C:\WINDOWS\system32\ntsec.exe


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Do You Want to Reboot Now prompt.

After reboot, go to Start > Run and type or copy/paste this into the run box:

sc delete NTSec

Then please post a new HijackThis log.
  • 0

#10
pedroparra

pedroparra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I couldn't delete on reboot because when I pressed the YES button at the confirmation of REBOOT I got a message that an external process had deleted some registry entry.

Anyway, I deleted the files using the option STANDARD FILE KILL and here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:05:50, on 10/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pedro Rodriguez\Escritorio\VSE80iLES\Setup.exe
C:\Temp\delete paytime\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 9 run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 5\PcSync2.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144446099482
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144446257940
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NTSec(ntsec) (NTSec) - Unknown owner - C:\WINDOWS\system32\ntsec.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


There is an entry for NTSEC that is very suspicious.

Thanks a lot, I will recommend your page and your sponsors to my friends. You are great!

Pedro
  • 0

#11
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
When we deleted the file, the entry became visible.

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

NTSec(ntsec) (NTSec)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

NTSec

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you have any problems left.
  • 0
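As an added example (not code from this thread, from Geeks to Go, or from HijackThis), here is a small Python triage script that applies the same read the helper applied to the O23 lines above: it flags a service whose binary is reported "(file missing)" or whose owner is unknown or empty, plus a BHO registered as "(no name)". The sample log is assembled from the O23 lines posted above plus one constructed O2 line whose CLSID and DLL name are obvious placeholders.

```python
"""Triage of HijackThis O23 (service) and O2 (BHO) lines.

Added example for this thread, not code from Geeks to Go or HijackThis.
A service whose binary is reported "(file missing)", or whose owner is
unknown or empty, and a BHO registered with "(no name)" are the entries
to look at first.
"""
import re
from dataclasses import dataclass, field

# O23 - Service: <display> (<short name>) - <owner> - <path>
# The owner field may be empty, which HijackThis prints as "- -".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?:(?P<owner>.*?) )?- (?P<path>.*)$"
)
# O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


@dataclass
class Finding:
    kind: str                  # "O23" or "O2"
    name: str                  # service short name or BHO CLSID
    path: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None if nothing stands out."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        reasons = []
        owner = (m.group("owner") or "").strip()
        path = m.group("path").strip()
        if path.endswith("(file missing)"):
            reasons.append("service binary missing on disk")
        if not owner:
            reasons.append("no owner/vendor string")
        elif owner.lower() == "unknown owner":
            reasons.append("unknown owner")
        return Finding("O23", m.group("name"), path, reasons) if reasons else None
    m = O2_RE.match(line)
    if m and m.group("name") == "(no name)":
        return Finding("O2", m.group("clsid"), m.group("path"),
                       ["BHO registered without a name"])
    return None


def triage_log(text: str):
    """Run triage_line over every line of a HijackThis log."""
    return [f for f in map(triage_line, text.splitlines()) if f]


# Sample log: the O23 lines from the post above plus one constructed O2 line
# whose CLSID and DLL name are placeholders, not real identifiers.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe",
    r"O23 - Service: NTSec(ntsec) (NTSec) - Unknown owner - C:\WINDOWS\system32\ntsec.exe (file missing)",
    r"O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM32\placeholder.dll",
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind} {f.name}: {', '.join(f.reasons)} [{f.path}]")
```

An empty vendor string on its own is a weak signal (the SmartLink modem service above was left alone by the helper); the combination of a missing binary and an unknown owner is what made NTSec stand out.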

#12
pedroparra

pedroparra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
After your last help my computer is cleaner and functions faster!

Here is the last HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:16:09, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Temp\delete paytime\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 9 run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Archivos de programa\Nokia\Nokia PC Suite 5\PcSync2.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144446099482
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144446257940
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


The computer seems much cleaner!

Thanks
  • 0

#13
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

I'd also recommend that you install monitoring software, which watches certain areas of your computer and alerts you when they are being modified. One such program I'd recommend is Prevx, but it's for advanced users as the messages it displays can be hard to decipher. Another similar but more user-friendly program is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, and scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected; SpywareGuard does the same thing, but for spyware!
IE/Spyad Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser, safer than IE.

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0

#14
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0